If agent job submissions and command executions are being validated, authorizations are performed to verify that the mainframe user (MFUser) is authorized to submit agent jobs to the specific agent name using the agent user ID. Authorizations are also performed to verify that the signed-on user is authorized to perform any agent command executions. The AGCLASS keyword on the SECURITY statement determines the resource class used for these authorizations. If the default AGCLASS FACILITY is not used, set up a class map in the ACF2 Options. An example follows where AGCLASS is the Resource Name and AGT is the resource type:
CLASMAP.AGT RESOURCE(AGCLASS) RSRCTYPE(AGT)
The following are examples of CA WA CA 7 Edition agent job submission and agent command execution rules:
This example illustrates giving job submission authority using a specific agent user ID and specific agent name:
$KEY(CA71) TYPE(AGT) AGENTUSR.agent-userid.agent-name UID(CA7USER) SERVICE(READ) ALLOW
$KEY(CA71) AGENTUSR.agent-userid.agent-name: Identifies the resource name, in the format (ca7-instance-id) AGENTUSR.agent-userid.agent-name.
TYPE(AGT): Identifies the type of resource rule. If you have specified a resource type other than AGENT (see the SECURITY statement AGCLASS keyword), substitute the CA ACF2 SAFDEF assigned to this resource type for AGT.
UID(CA7USER): Identifies the UID string of users for which this resource rule applies.
SERVICE(READ): Identifies the access level required to permit use of the resource.
ALLOW: Allows users with a matching UID string access to the indicated resource.
This example illustrates giving agent command execution authority for a specific agent name:
$KEY(CA71) TYPE(AGT) AGENTMSG.CONTROL SHUTDOWN.UNIXAGT UID(CA7USER) SERVICE(READ) ALLOW
$KEY(CA71) AGENTMSG.CONTROL SHUTDOWN.UNIXAGT: Identifies the resource name, in the format (ca7-instance-id) AGENTMSG.verb subverb.agent-name.
TYPE(AGT): Identifies the type of resource rule. If you have specified a resource type other than AGT (see the SECURITY statement AGCLASS keyword), substitute the CA ACF2 SAFDEF assigned to this resource type for AGT.
UID(CA7USER): Identifies the UID string of users for which this resource rule applies.
SERVICE(READ): Identifies the access level required to permit use of the resource.
ALLOW: Allows users with a matching UID string access to the indicated resource.
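The two rule layouts above can be inventoried with a short parser, for example to review which UID strings may submit to or command each agent. This is an added example, not CA code: it assumes each rule sits on one line exactly as printed on this page and does not handle masking, and the function names and the agent user ID root in the sample are constructed.

```python
import re
from collections import defaultdict

# One-line rule layout as printed on this page. Assumption: masking and
# multi-line rule sets are out of scope and are reported as unparsed.
RULE_RE = re.compile(
    r"^\$KEY\((?P<instance>[^)]+)\)\s+TYPE\((?P<rtype>[^)]+)\)\s+"
    r"(?P<kind>AGENTUSR|AGENTMSG)\.(?P<rest>[^()]+?)\s+UID\((?P<uid>[^)]+)\)\s+"
    r"SERVICE\((?P<service>[^)]+)\)\s+(?P<action>[A-Z]+)$"
)

def parse_rule(line):
    """Split one rule into its fields; return None if the layout differs."""
    m = RULE_RE.match(line.strip())
    if not m or "." not in m["rest"]:
        return None
    rule = m.groupdict()
    # The agent name is the last qualifier; what precedes it is either the
    # agent user ID (AGENTUSR) or "verb subverb" (AGENTMSG).
    middle, rule["agent_name"] = rule.pop("rest").rsplit(".", 1)
    if rule["kind"] == "AGENTUSR":
        rule["agent_user"] = middle
    else:
        rule["verb"], _, rule["subverb"] = middle.partition(" ")
    return rule

def inventory(lines):
    """Group grants by agent name; keep unparsed lines for manual review."""
    grants, unparsed = defaultdict(list), []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            unparsed.append(line)
            continue
        what = (f"submit as {rule['agent_user']}" if rule["kind"] == "AGENTUSR"
                else f"command {rule['verb']} {rule['subverb']}".rstrip())
        grants[rule["agent_name"]].append((rule["uid"], rule["action"], what))
    return dict(grants), unparsed

# Constructed sample input; the last line is malformed (stray parenthesis).
SAMPLE = [
    "$KEY(CA71) TYPE(AGT) AGENTUSR.root.UNIXAGT UID(CA7USER) SERVICE(READ) ALLOW",
    "$KEY(CA71) TYPE(AGT) AGENTMSG.CONTROL SHUTDOWN.UNIXAGT UID(CA7USER) SERVICE(READ) ALLOW",
    "$KEY(CA71) TYPE(AGT) AGENTMSG.CONTROL SHUTDOWN.UNIXAGT) UID(CA7USER) SERVICE(READ) ALLOW",
]

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

Lines that do not match the layout are returned separately rather than skipped, so a malformed rule is reviewed by hand instead of dropping out of the inventory.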
Copyright © 2013 CA Technologies.
All rights reserved.